Question: Has the organization established and maintains an authoritative inventory of information assets and data stores (on-prem, cloud, SaaS)?
Objective — Why This Matters
You cannot protect what you don’t know exists. A single source of truth for assets and data stores prevents blind spots, enables patching and backup coverage, and anchors every other control (access, monitoring, recovery).
Maturity Levels (0–5)
0 — Unaware
No consolidated inventory; knowledge lives in people’s heads.
1 — Ad Hoc
Partial spreadsheets; inconsistent identifiers; cloud/SaaS largely missing.
2 — Defined
Inventory template set (owner, purpose, criticality, location, data type); periodic manual updates.
3 — Managed
Discovery integrated (agents/APIs); change control updates inventory; coverage KPIs tracked.
4 — Integrated
Inventory feeds patching, backups, and monitoring; stale entries auto-flagged.
5 — Optimized
Near-real-time discovery with reconciliation; lifecycle and cost insights inform decisions.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Publish a simple template; capture the top critical systems and data stores. |
| 1 → 2 | Add fields: owner, business purpose, data classification, location, dependencies. |
| 2 → 3 | Connect cloud and SaaS APIs; schedule monthly reconciliations. |
| 3 → 4 | Link inventory to patching, backup, and monitoring coverage reports. |
| 4 → 5 | Enable automatic stale-record detection and lifecycle analytics. |
People / Process / Technology Enablers
- People: Asset Owner per item, Inventory Coordinator, System Owners.
- Process: Discovery SOP, monthly reconciliation, joiners/movers/leavers hooks.
- Technology: CMDB/inventory tool, cloud/SaaS API connectors, tag conventions.
Evidence Required
- Current export of inventory with owners and last-seen timestamps.
- Reconciliation log from the last cycle.
- Coverage reports (patch/backup/monitoring) joined to inventory.
Metrics / KPIs
- Inventory coverage: percentage of assets reported by discovery signals (agents, cloud/SaaS APIs) that have a matching inventory record; assets seen by discovery but absent from the inventory are the blind spots.
- Median age since last-seen for assets and data stores.
- Number of orphaned assets (no owner) and time to assign owner.
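The three KPIs above, and the reconciliation step in the 2 → 3 and 4 → 5 actions, reduce to one join between an inventory export and a set of discovered asset IDs. The script below is an added example, not part of the original page or of any inventory product; the record layout, field names (`asset_id`, `owner`, `last_seen`) and sample data are constructed assumptions standing in for a real CMDB or spreadsheet export and a cloud/agent discovery listing.

```python
"""Reconcile an inventory export against discovery signals and compute the
coverage, staleness and ownership KPIs.

Added example: the record schema and sample data below are assumptions, not a
real CMDB format. Replace INVENTORY with your export and DISCOVERED with the
IDs returned by agents or cloud/SaaS API listings.
"""
from datetime import datetime, timezone
from statistics import median

# Constructed sample inventory export (e.g. Snipe-IT CSV or a spreadsheet).
INVENTORY = [
    {"asset_id": "srv-001",  "owner": "alice", "last_seen": "2024-05-20T00:00:00Z"},
    {"asset_id": "srv-002",  "owner": "",      "last_seen": "2024-05-19T00:00:00Z"},  # no owner
    {"asset_id": "db-prod",  "owner": "bob",   "last_seen": "2024-02-01T00:00:00Z"},  # not seen for months
    {"asset_id": "bkt-logs", "owner": "carol", "last_seen": "2024-05-21T00:00:00Z"},
]

# Constructed sample discovery signal: IDs reported by agent check-ins and a
# cloud API listing. "i-0deadbeef" is running but was never registered.
DISCOVERED = {"srv-001", "srv-002", "db-prod", "i-0deadbeef"}

# Fixed reference time so the numbers are reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 5, 22, tzinfo=timezone.utc)


def _parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the sample export as UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(inventory, discovered, now=NOW, stale_after_days=30):
    """Join inventory records to discovery signals and return the KPIs.

    coverage_pct    share of discovered assets that have an inventory record
    unregistered    discovered but not in the inventory (blind spots)
    not_discovered  in the inventory but not reported by discovery
                    (decommissioned, or a discovery gap to investigate)
    stale           inventory records whose last_seen is older than the threshold
    orphaned        inventory records with no owner
    median_age_days median days since last_seen across inventory records
    """
    known = {r["asset_id"] for r in inventory}
    matched = discovered & known
    ages = [(now - _parse_ts(r["last_seen"])).days for r in inventory]
    return {
        "coverage_pct": round(100 * len(matched) / len(discovered), 1) if discovered else 100.0,
        "unregistered": sorted(discovered - known),
        "not_discovered": sorted(known - discovered),
        "stale": sorted(r["asset_id"] for r, age in zip(inventory, ages) if age > stale_after_days),
        "orphaned": sorted(r["asset_id"] for r in inventory if not r["owner"].strip()),
        "median_age_days": median(ages) if ages else 0,
    }


if __name__ == "__main__":
    for key, value in reconcile(INVENTORY, DISCOVERED).items():
        print(f"{key:16} {value}")
```

Run it on a real export and the `unregistered` list is the first thing to act on: every entry is an asset that discovery can see but that patching, backup and monitoring coverage reports (which are driven from the inventory) will silently skip. Scheduling this as the monthly reconciliation and keeping its output is the evidence the 2 → 3 step asks for.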
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Inventory | Snipe-IT / Google Sheets | Start simple; enforce unique IDs and owners. |
| Cloud/SaaS | Cloud provider CLI + export | Periodic export of instances, buckets, databases, SaaS users. |
| Dashboards | Metabase / Redash | Coverage, stale entries, orphaned owners. |
Common Pitfalls
- Treating SaaS apps as “out of scope”.
- No owner field; stale entries never cleaned.
- Inventory not linked to patching/backups/monitoring.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001 | A.5.9 (inventory of information and other associated assets). |
| NIST CSF 2.0 | ID.AM (asset management). |
| DPDP Act 2023 | Scoping of personal data stores. |
| NIRMATA Scoring | AD-Q01 Level ≥3 requires automated discovery + reconciliation evidence. |